Reviewed-by: NRichard Levitte <levitte@openssl.org>

* Perform ALPN after the SNI callback; the SSL_CTX may change due to
  that processing
* Add flags to indicate that we actually sent ALPN, to properly error
  out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions
Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

Add functions to determine authentication, key-exchange, FIPS and AEAD.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

* Perform ALPN after the SNI callback; the SSL_CTX may change due to
  that processing
* Add flags to indicate that we actually sent ALPN, to properly error
  out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions
Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

 - Always prefer forward-secure handshakes.
 - Consistently order ECDSA above RSA.
 - Next, always prefer AEADs to non-AEADs, irrespective of strength.
 - Within AEADs, prefer GCM > CHACHA > CCM for a given strength.
 - Prefer TLS v1.2 ciphers to legacy ciphers.
 - Remove rarely used DSS, IDEA, SEED, CAMELLIA, CCM from the default
   list to reduce ClientHello bloat.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NBen Laurie <ben@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

Change the ECC default curve list to be this, in order: x25519, secp256r1,
secp521r1, secp384r1, brainpoolP256r1, brainpoolP384r1, and brainpool512r1.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

RC4 based ciphersuites in libssl have been disabled by default. They can
be added back by building OpenSSL with the "enable-weak-ssl-ciphers"
Configure option at compile time.
Reviewed-by: NRich Salz <rsalz@openssl.org>

1) Simplify code with better PACKET methods.

2) Make broken SNI parsing explicit. SNI was intended to be extensible
to new name types but RFC 4366 defined the syntax inextensibly, and
OpenSSL has never parsed SNI in a way that would allow adding a new name
type. RFC 6066 fixed the definition but due to broken implementations
being widespread, it appears impossible to ever extend SNI.

3) Annotate resumption behaviour. OpenSSL doesn't currently handle all
extensions correctly upon resumption. Annotate for further clean-up.

4) Send an alert on ALPN protocol mismatch.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Signed-off-by: NRich Salz <rsalz@akamai.com>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

The ubsec engine is now considered obsolete and therefore has been
removed.
Reviewed-by: NRich Salz <rsalz@openssl.org>

The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

We were kinda sorta using a mix of $disabled{"static-engine" and
$disabled{"dynamic-engine"} in Configure.  Let's avoid confusion,
choose one of them and stick to it.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

INSTALL_PREFIX is a confusing name, as there's also --prefix.
Instead, tag along with the rest of the open source world and adopt
the Makefile variable DESTDIR to designate the desired staging
directory.

The Configure option --install_prefix is removed, the only way to
designate a staging directory is with the Makefile variable (this is
also implemented for VMS' descrip.mms et al).
Reviewed-by: NRich Salz <rsalz@openssl.org>

To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.

This addresses RT 3647
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Add utility macros REF_ASSERT_NOT and REF_PRINT_COUNT
This is also RT 4181
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

The DTLSv1_listen function exposed details of the underlying BIO
abstraction and did not properly allow for IPv6. This commit changes the
"peer" argument to be a BIO_ADDR and makes it a first class function
(rather than a ctrl) to ensure proper type checking.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Accept leading 0-byte in PKCS1 type 1 padding. Internally, the byte is
stripped by BN_bn2bin but external callers may have other expectations.

Reviewed-by: Kurt Roeckx<kurt@openssl.org>

CRIME protection: disable compression by default, even if OpenSSL is
compiled with zlib enabled. Applications can still enable compression by
calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
the SSL_CONF library to configure compression. SSL_CONF continues to
work as before:

SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.

SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
no-op by default).

The command-line switch has changed from -no_comp to -comp.
Reviewed-by: NRich Salz <rsalz@openssl.org>

PACKET contents should be read-only. To achieve this, also
- constify two user callbacks
- constify BUF_reverse.
Reviewed-by: NRich Salz <rsalz@openssl.org>

There was an unused macro in ssl_locl.h that used an internal
type, so I removed it.
Move bio_st from bio.h to ossl_type.h
Reviewed-by: NAndy Polyakov <appro@openssl.org>

The use of the uninitialized buffer in the RNG has no real security
benefits and is only a nuisance when using memory sanitizers.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Add details about the latest issues fixed in the forthcoming release.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Many options for supporting optimizations for legacy crypto on legacy
platforms have been removed.  This simplifies the source code and
does not really penalize anyone.
        DES_PTR (always on)
        DES_RISC1, DES_RISC2 (always off)
        DES_INT (always 'unsigned int')
        DES_UNROLL (always on)
        BF_PTR (always on) BF_PTR2 (removed)
        MD2_CHAR, MD2_LONG (always 'unsigned char')
        IDEA_SHORT, IDEA_LONG (always 'unsigned int')
        RC2_SHORT, RC2_LONG (always 'unsigned int')
        RC4_LONG (only int and char (for assembler) are supported)
        RC4_CHUNK (always long), RC_CHUNK_LL (removed)
        RC4_INDEX (always on)
And also make D_ENCRYPT macro more clear (@appro)

This is done in consultation with Andy.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

--prefix is now exclusively used for software and manual installation.
--openssldir is not exclusively used as a default location for certs,
keys and the default openssl.cnf.

This change is made to bring clarity, to have the two less
intertwined, and to be more compatible with the usual ways of software
installation.

Please change your habits and scripts to use --prefix rather than
--openssldir for installation location now.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

The GOST engine is now out of date and is removed by this commit. An up
to date GOST engine is now being maintained in an external repository.

See:
https://wiki.openssl.org/index.php/BinariesReviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

The entropy-gathering daemon is used only on a small number of machines.
Provide a configure knob so that EGD support can be disabled by default
but re-enabled on those systems that do need it.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>